Writeup by vitotafuni for Aaarg

intro reverse linux x86/x64

September 18, 2025

Table of contents

Old school method

  1. decompile the binary
  2. find in the main that passing as argument -2 you got an info from a memory address printed each 4 byte
  3. goto that section (.rodata) and find the solution

Funny and quick method

  1. check what type of file we are dealing with:
$ file aaarg.txt 
aaarg.txt: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f5b07c01242cc5987bed7730c2762ae0491b5ddc, strippe
  1. extract .rodata that is the usual place where static data is in a binary
objdump -s -j .rodata aaarg.txt 

aaarg.txt:     formato del file elf64-x86-64

Contenuto della sezione .rodata:
 402000 01000200 00000000 00000000 00000000  ................
 402010 46e2808d 43e2808d 53e2808d 43e2808d  F...C...S...C...
 402020 7be2808d 66e2808d 39e2808d 61e2808d  {...f...9...a...
 402030 33e2808d 38e2808d 61e2808d 64e2808d  3...8...a...d...
 402040 61e2808d 63e2808d 65e2808d 39e2808d  a...c...e...9...
 402050 64e2808d 64e2808d 61e2808d 33e2808d  d...d...a...3...
 402060 61e2808d 39e2808d 61e2808d 65e2808d  a...9...a...e...
 402070 35e2808d 33e2808d 65e2808d 37e2808d  5...3...e...7...
 402080 61e2808d 65e2808d 63e2808d 31e2808d  a...e...c...1...
 402090 38e2808d 30e2808d 63e2808d 35e2808d  8...0...c...5...
 4020a0 61e2808d 37e2808d 33e2808d 64e2808d  a...7...3...d...
 4020b0 62e2808d 62e2808d 37e2808d 63e2808d  b...b...7...c...
 4020c0 33e2808d 36e2808d 34e2808d 66e2808d  3...6...4...f...
 4020d0 65e2808d 31e2808d 33e2808d 37e2808d  e...1...3...7...
 4020e0 66e2808d 63e2808d 36e2808d 37e2808d  f...c...6...7...
 4020f0 32e2808d 31e2808d 64e2808d 37e2808d  2...1...d...7...
 402100 39e2808d 39e2808d 37e2808d 63e2808d  9...9...7...c...
 402110 35e2808d 34e2808d 65e2808d 38e2808d  5...4...e...8...
 402120 64e2808d 7d00                        d...}.
  1. wow that’s something!
  2. let’s extract the string with a bit of bash-ism
objdump -s -j .rodata aaarg.txt | awk '{print $NF}'| tr '\n' '.' | sed 's/\.//g' 
elf64-x86-64rodata:FCSC{f9a38adace9dda3a9ae53e7aec180c5a73dbb7c364fe137fc6721d7997c54e8d

Additional Fun

Check what is in the other part of the binary changing .rodata with .data, .text and .bss.